Jun 27, 2026
Unsanitized 'name' and 'version' fields in downloaded package manifests allow arbitrary filesystem writes during 'pnpm stage download' operations.
A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.
The pnpm stage download command fetches and stages tarballs from a designated package registry during staging operations. This process involves downloading a package tarball, extracting its embedded package.json manifest, and determining a local staging path to write the artifact. The attack surface is exposed to any network registry or upstream repository configured by the user.

An attacker who controls a registry or compromises an upstream package can supply a malicious manifest. By embedding directory traversal sequences in metadata fields, the attacker can hijack the target write location. This allows arbitrary file write or overwrite operations under the privileges of the user executing the command.
The root cause of this vulnerability lies in the unvalidated trust placed in the version and name properties of the package manifest. During staging, pnpm extracts these fields to construct a local cache or staging filename. The application relies on normalizePackageName() to replace slashes and remove symbols, but it performs no validation on the version string.

Because the version field is untrusted input, an attacker hosting a malicious registry or publishing a compromised manifest can define a version containing traversal sequences. When path.resolve() dynamically resolves the absolute path using this unsanitized string, the resulting destination path escapes the designated download directory. This allows writing the tarball payload to an arbitrary location on the filesystem.
The vulnerable logic resolves the output directory and file write path using the package name and version fields directly:

```typescript
// filename is derived from the downloaded manifest's name and version;
// the version component is never validated before reaching path.resolve()
const downloadDir = opts.dir ?? process.cwd()
const outputPath = path.resolve(downloadDir, filename)
await fs.writeFile(outputPath, tarballData)
```

```mermaid
graph LR
  Registry["Malicious Registry"] -->|"package.json name/version"| PNPM["pnpm stage download"]
  PNPM -->|"Unsanitized path.resolve"| PathConcat["outputPath: /sandbox/../../etc/cron.d/job"]
  PathConcat -->|"fs.writeFile"| OS["File Written Outside Sandbox"]
```

To patch this vulnerability in commit 65443f4bdf1f0db9c8c7dc58fee25252607e9234, the maintainers introduced strict validation checks on the derived filename. The fix uses standard validation libraries to enforce format rules on both the package name and version before deriving the filename. Package names are validated using validate-npm-package-name, and semantic versions are validated using the semver validator, which rejects path traversal characters such as / or .. Additionally, the path resolution step now enforces that the parent directory of the final absolute output path strictly matches the intended download directory.
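The unsafe resolution beside the validate-then-contain pattern the fix describes, as an added example that is not pnpm's own code. The two regexes stand in for validate-npm-package-name and semver (assumption: a conservative approximation, not those libraries), and normalizePackageName(), the `<name>-<version>.tgz` filename layout, and the sample manifest are constructed for illustration only.

```typescript
import * as path from "node:path";

// Use POSIX semantics so the example behaves the same on every platform.
const p = path.posix;

// Stand-ins for the validators the fix relies on. Assumption: the real
// patch uses validate-npm-package-name and semver; these regexes are a
// conservative approximation written for this example only.
const NAME_RE = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;
const SEMVER_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Hypothetical normalizePackageName() as the advisory describes it:
// slashes replaced, other symbols stripped. It never inspects the version.
export function normalizePackageName(name: string): string {
  return name.replace(/\//g, "+").replace(/[^A-Za-z0-9+._-]/g, "");
}

// Assumed filename layout; the version is interpolated as-is.
function buildFilename(name: string, version: string): string {
  return `${normalizePackageName(name)}-${version}.tgz`;
}

// Vulnerable form: the manifest's version string flows straight into
// path.resolve(), so ".." segments in it relocate the write target.
export function resolveOutputPathUnsafe(downloadDir: string, name: string, version: string): string {
  return p.resolve(downloadDir, buildFilename(name, version));
}

// Hardened form: validate both manifest fields, then confirm the resolved
// path still has downloadDir as its parent. The containment check fails
// closed even if a later change weakens the format checks.
export function resolveOutputPathSafe(downloadDir: string, name: string, version: string): string {
  if (!NAME_RE.test(name)) {
    throw new Error(`invalid package name: ${JSON.stringify(name)}`);
  }
  if (!SEMVER_RE.test(version)) {
    throw new Error(`invalid version: ${JSON.stringify(version)}`);
  }
  const base = p.resolve(downloadDir);
  const outputPath = p.resolve(base, buildFilename(name, version));
  if (p.dirname(outputPath) !== base) {
    throw new Error(`output path escapes download directory: ${outputPath}`);
  }
  return outputPath;
}

// Boolean wrapper for callers that prefer a verdict over an exception.
export function isSafeManifest(downloadDir: string, name: string, version: string): boolean {
  try {
    resolveOutputPathSafe(downloadDir, name, version);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample manifest carrying the traversal payload the advisory describes.
const maliciousManifest = { name: "evil", version: "1.0.0/../../../../etc/cron.d/malicious_job" };
console.log("unsafe resolves to:", resolveOutputPathUnsafe("/sandbox", maliciousManifest.name, maliciousManifest.version));
console.log("hardened rejects it:", !isSafeManifest("/sandbox", maliciousManifest.name, maliciousManifest.version));
```

Note that the format checks alone are not the whole defence: a scoped name legitimately contains a slash, which is why the fix also re-checks that the parent of the resolved path equals the download directory after normalization.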
An attacker exploiting this vulnerability must control the package registry or intercept the package response to inject a crafted manifest. When the victim executes pnpm stage download, the client issues a request to the configured registry.

The registry responds with a package payload containing a crafted package.json. In this manifest, the version field is set to a relative traversal path, such as 1.0.0/../../../../etc/cron.d/malicious_job.

Upon receiving this response, pnpm builds the destination path using the malicious string and writes the tarball. The tarball's binary content is written directly to the target system path, enabling potential local privilege escalation (LPE) or persistent execution when the system triggers the written file.
The integrity impact is rated as High because an attacker can overwrite arbitrary files accessible to the execution context. Depending on whether pnpm is run by a standard user or an administrative CI/CD service, the impact ranges from local source code modification to full system compromise.

The availability impact is rated Low, although overwriting critical system configuration or executable files can cause system services to fail. The vulnerability holds a CVSS v3.1 score of 7.1, reflecting that network-level positioning is sufficient to initiate the attack, provided user interaction (running the command) is achieved.

Currently, there is no active exploitation reported in the wild, placing the EPSS score at a low baseline. However, the presence of public regression tests acts as a functional Proof-of-Concept, making rapid exploitation feasible if target conditions are met.
Users must update pnpm immediately to version 11.5.3 or higher. This release contains the complete structural and semantic verification mechanisms to block directory traversal payloads in both the package name and version fields.

If immediate patching is not possible, restrict network communication to trusted registries and verify that package registries employ robust metadata sanitization before distributing packages to downstream clients.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

| Product | Affected Versions | Fixed Version |
|---|---|---|
| pnpm pnpm | < 11.5.3 | 11.5.3 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 |
| Attack Vector | Network |
| CVSS | 7.1 |
| EPSS | 0.00258 |
| Impact | High Integrity, Low Availability |
| Exploit Status | poc |
| KEV Status | Not Listed |
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
GHSA-WW5P-J6CJ-6MQQ is a technical credential exposure vulnerability in Nezha Dashboard prior to version 2.2.5. The vulnerability allows authenticated administrative users or actors possessing scoped read-only Personal Access Tokens (PATs) to exfiltrate plaintext third-party API credentials, secret keys, and webhook authorization headers due to a lack of data redaction during API object serialization.
GHSA-FR4H-3CPH-29XV is a high-severity path traversal vulnerability in pnpm and its Rust-based port pacquet. The flaw manifests when using the hoisted node-linker configuration, allowing an attacker to manipulate the lockfile to resolve relative traversal sequences or target reserved subdirectories, leading to arbitrary file write or execution hijacking.
A path traversal vulnerability in the pnpm package manager's 'patch-remove' command allows an attacker to delete arbitrary files outside the patches directory. By manipulating configuration files like package.json, an attacker can specify a traversal path that the application deletes recursively without validating the path's containment.
A high-severity path traversal vulnerability exists in the pnpm package manager. By crafting a malicious lockfile (pnpm-lock.yaml) with path traversal characters in the configDependencies block, an attacker can create arbitrary directories and symlinks outside the project's node_modules/.pnpm-config directory. This exploitation happens automatically during pnpm installation, even when executing with scripts disabled via the --ignore-scripts flag.
An arbitrary file write vulnerability exists in Gonic, a music streaming server implementing the Subsonic API. Due to an unreachable guard clause combined with missing path containment validation in the playlist storage engine, authenticated users can write playlist contents to arbitrary filesystem paths with overly permissive directory permissions.
An incomplete mitigation of a predecessor vulnerability (GHSA-xvp4-phqj-cjr3 / CVE-2026-35671) in phpMyFAQ leaves sister administrative API endpoints vulnerable to Insecure Direct Object Reference (IDOR). Specifically, the `editUser` and `updateUserRights` endpoints lack object-level access controls, permitting authenticated low-privilege administrators to escalate their privileges or hijack SuperAdmin accounts.